Introduction
At my home, I have a dedicated SuperMicro 1U server running Sophos UTM 9 version 9.355-1. I call it my router, but it is a router, a firewall, a web proxy, an intrusion detection device and much more. All of this, free. It is an excellent product. If you don’t have it, you can see for yourself. They sell devices with the software on it, but you can also download a CD image or virtual drives to install it on a virtual machine.
On this device, I configured the “Web Filtering service” to act as a proxy. As I have a domain, I configured a GPO to push the Windows proxy settings to all my computers joined to the domain. Finally, I configured a server in “Authentication Services” to make the device join my domain and use it to synchronise the domain users for the proxy authentication.
The Problem
All went fine, really fine. I have a lot of statistics concerning the internet usage on my network. I can select hundreds of web site categories and decide to block them, allow them or put a quota on it. I can also configure fancy rules to decide what I allow to go through and what I want to block.
The problem I had is that OneDrive could not get through. The first symptoms were with the OneNote notebooks I share through OneDrive: they were not able to synchronize. The first error indicated a synchronisation error with a 0x80004005 error code, and another said it needed the password, with a 0xE4010668 error code. As these errors disappeared as soon as I deactivated the proxy, I knew I had to create an exception rule.
On the Sophos device, there is a multitude of exceptions already configured in the “Web Protection / Filtering Options / Exceptions” section. I did some Google Fu and found some posts that guided me, but nothing that solved my problem.
The first circle of hell I encountered is this: Sophos says the rules can specify URLs based on regular expressions. I spent half an hour examining URLs rejected by the proxy that looked related to OneDrive, built and tested regular expressions and pasted them in my exception rule, but there was no effect. So, I spent another ten minutes trying to find out why they were ignored.
A Way Out
As I found out, I had to use expressions based on regular expressions, not real regular expressions. For example, an expression to let through “https://my.domain.com” could be “^https:[/][/]my[.]domain[.]com[/]”, or “^https://my.domain.com/”. But for Sophos, it should be “^https://my.domain.com/”… I found out by examining already configured rules. Knowing that, Google brought me the details for building a valid expression. I then transformed them and generated my exception rule, adding URL expressions one by one until my OneNote was able to sync, and my OneDrive folders also.
Follow The Dotted Line
- In the WebAdmin page of Sophos UTM, go to “Web Protection”, then “Filtering Options”.
- Press the “New Exception List…” button.
- Give a name to the exception (I used “OneDrive”) and check all the following check-boxes. Maybe I should have left some alone, but in my opinion I can leave everything open concerning OneDrive.
- In the “For all requests” section, select “Matching these URLs” and add the following expressions.
^https://[^.]*.hotmail.com/
^https://[^.]*.storage.live.com/
^https://[^.]*.docs.live.net/
^https://onedrive.live.com/
^https://[^.]*.officeapps.live.com/
- Save this and activate the rule by turning the switch on.
- Give Sophos a few seconds to refresh its rule list, then resync your OneNote and/or OneDrive.
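An exception list is an allowlist that switches filtering off for whatever it matches, so it is worth checking how wide the patterns are before activating the rule. The following Python script is an added example (mine, not code from the post or from Sophos): it runs the five expressions above against a handful of constructed sample URLs using Python’s re module, and compares them with a tightened variant, constructed here, in which the literal dots are escaped. The assumption is that re.match approximates how the UTM web filter evaluates these expressions; the real engine may differ in details, so the proxy’s web filtering log remains the authority on what is actually let through.

```python
import re

# Exception patterns exactly as entered in the "Matching these URLs" box of the post.
ONEDRIVE_PATTERNS = [
    r"^https://[^.]*.hotmail.com/",
    r"^https://[^.]*.storage.live.com/",
    r"^https://[^.]*.docs.live.net/",
    r"^https://onedrive.live.com/",
    r"^https://[^.]*.officeapps.live.com/",
]

# Tightened variants (constructed for this example, not from the post): a literal
# dot is escaped as "\." so it can no longer stand in for any single character.
TIGHT_PATTERNS = [
    r"^https://[^.]*\.hotmail\.com/",
    r"^https://[^.]*\.storage\.live\.com/",
    r"^https://[^.]*\.docs\.live\.net/",
    r"^https://onedrive\.live\.com/",
    r"^https://[^.]*\.officeapps\.live\.com/",
]

# Constructed sample URLs: some the exception is meant to cover, some it should not.
SAMPLE_URLS = [
    "https://onedrive.live.com/?id=root",             # intended: OneDrive web app
    "https://d.docs.live.net/abc123/Notebook.one",    # intended: OneNote notebook sync
    "https://www.hotmail.com/",                       # intended: hotmail host
    "https://evilhotmail.com/login",                  # look-alike host, not intended
    "https://xofficeapps.live.com/",                  # look-alike host, not intended
    "http://onedrive.live.com/",                      # plain http: patterns only cover https
    "https://example.com/",                           # unrelated site
]


def allowed_by(url, patterns):
    """Return the patterns that match the URL; an empty list means the exception does not apply."""
    return [p for p in patterns if re.match(p, url)]


def evaluate(urls, patterns):
    """Map each URL to True if at least one pattern in the list matches it."""
    return {u: bool(allowed_by(u, patterns)) for u in urls}


def overmatches(urls, loose, tight):
    """URLs that the loose patterns exempt from filtering but the tight patterns do not."""
    return [u for u in urls if allowed_by(u, loose) and not allowed_by(u, tight)]


if __name__ == "__main__":
    # Print a side-by-side table of both pattern sets, then the URLs where they disagree.
    loose = evaluate(SAMPLE_URLS, ONEDRIVE_PATTERNS)
    tight = evaluate(SAMPLE_URLS, TIGHT_PATTERNS)
    print(f"{'URL':48} {'post':>6} {'tight':>6}")
    for u in SAMPLE_URLS:
        print(f"{u:48} {str(loose[u]):>6} {str(tight[u]):>6}")
    print("exempted only by the unescaped patterns:", overmatches(SAMPLE_URLS, ONEDRIVE_PATTERNS, TIGHT_PATTERNS))
```

Running it shows that the OneDrive and OneNote URLs are exempted by both sets, while the two look-alike hosts slip through only the unescaped versions, because the bare “.” after “[^.]*” can match any character, including the first letter of “hotmail”. Whether you keep the post’s patterns or the escaped ones, re-running this check after every change to the list is cheaper than discovering later that a web filter exception covers more than OneDrive.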
Update – 2016.04.05
In a report, I have seen there is a “Personal Network Storage” category in the pre-configured filtered URL categories. I thought I would not need my custom filter if I disabled this category from the filter, but I was wrong.
I disabled my custom filter and unchecked “Personal Network Storage” in the list of blocked categories. I then tried to synchronize my OneNote notebooks and it didn’t work.
So, I left the “Personal Network Storage” category unchecked and activated my custom filter.
To find this category and uncheck it, in the WebManager interface, go to “Web Protection”, then the “Filtering Options” section, and then the “Categories” tab. Go to the “Private Homepages” item, click “Edit” and you will see it there.